Additional Materials:

Contact:

Biometrics technologies that collect and facilitate the sharing of fingerprint records, and other identity data, are important to national security and federal agencies recognize the need to share such information. The Department of Defense (DOD) plans to spend $3.5 billion for fiscal years 2007 to 2015 on biometrics. GAO was asked to examine the extent to which DOD has (1) adopted standards and taken actions to facilitate the collection of biometrics that are interoperable with other key federal agencies, and (2) shares biometric information across key federal agencies. To address these objectives, GAO reviewed documents including those related to standards for collection, storage, and sharing of biometrics; visited selected facilities that analyze and store such information; and interviewed key federal officials.

DOD has adopted a standard for the collection of biometric information to facilitate sharing of that information with other federal agencies. DOD recognized the importance of interoperability and directed adherence to internationally accepted biometric standards. DOD applied adopted standards in some but not all of its collection devices. Specifically, a collection device used primarily by the Army does not meet DOD adopted standards. As a result, DOD is unable to automatically transmit biometric information collected to federal agencies, such as the Federal Bureau of Investigation (FBI). For example, this device is responsible for 13 percent of the records maintained by DOD--the largest number of submissions collected by a handheld device, according to DOD. Further, this constitutes approximately 630,000 DOD biometric records that cannot be searched automatically against FBI's approximately 94 million. DOD has not taken certain actions that would likely improve its adherence to standards, all of which are based on criteria from the Standard for Program Management, the National Science and Technology Council, and the Office of Management and Budget guidance, respectively. First, DOD does not have an effective process, procedure, or timeline for implementing updated standards. Second, DOD does not routinely test at sufficient levels of detail for conformance to these standards. Third, DOD has not fully defined roles and responsibilities specifying accountability needed to ensure its collection devices meet new and updated standards. DOD is sharing its biometric information and has an agreement to share biometric information with the Department of Justice, which allows for direct connectivity and the automated sharing of biometric information between their biometric systems. DOD's ability to optimize sharing is limited by not having a finalized sharing agreement with DHS, and its capacity to process biometric information. Currently, DOD and DHS do not have a finalized agreement in place to allow direct connectivity between their biometric systems. DOD is working with DHS to develop a memorandum of understanding to share biometric information now scheduled for completion in May 2011; however, without the agreement, it is unclear whether direct connectivity will be established between DOD and DHS, which affects response times to search queries. Further, agencies' biometric systems have varying system capacities based on their mission needs, which affects their ability to similarly process each other's queries for biometric information. As a result, DOD and other agency officials have expressed concern that DOD's biometric system may be unable to meet the search demands from their other biometric systems over the long-term. DOD officials do not believe that they need to match other agencies' biometric system capacities because they do not anticipate receiving the same number of queries given differences in mission. However, the advancements other agencies make in their biometric systems may continue to overwhelm DOD's efforts as it works to identify its long-term biometric system capability needs and associated costs. To improve DOD's ability to collect and share information, GAO recommends that DOD implement processes for updating and testing biometric collection devices to adopted standards; fully define and clarify the roles and responsibilities for all biometric stakeholders; finalize an agreement with the Department of Homeland Security (DHS); and identify its long-term biometric system capability needs. DOD agreed with all of GAO's recommendations.

Recommendations for Executive Action

Status: Open

Comments: In response to GAO's report, DOD noted that the department is taking a number of steps to implement a process for updating its biometric collection devices to conform to adopted standards, including (1) drafting an Electronic Biometric Transmission Specification (EBTS) conformance policy which entered the formal staffing process in July 2014; (2) identifying requirements for conformance and compliance and posting the requirements on the Defense Forensics and Biometrics Agency website; (3) requesting in the short term that each service, component, and agency work through biometrics test-related issues through a respective Operational Test Agency; and, (4) coordinating with the Joint Interoperability Test Command to transition biometric test responsibility to that command. The Department did not provide an estimate of when all of these steps will be completed.

Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including DOD's Biometric Identity Management Agency (BIMA), U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to implement a process for updating collection devices to adopted standards to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards.

Agency Affected: Department of Defense

Status: Open

Comments: In response to GAO's report, DOD stated that it has determined that the Defense Forensics and Biometrics Agency will no longer conduct biometrics conformance testing for collection devices. Instead, once the Electronic Biometric Transmission Specification (EBTS) conformance policy is released, testing in the short term will be performed by each military service, component, or agency through their own operational test agencies. Eventually, DOD plans to transition testing to the Joint Interoperability Test Command.The Department did not provide an estimate of when when its process for testing collection devices will be in place.

Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to implement a process for testing collection devices at a sufficiently detailed level to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards.

Agency Affected: Department of Defense

Status: Open

Comments: In response to GAO's report, DOD indicated that it is still updating DOD Directive 8521.01E "Defense Biometrics," which establishes policy, assigns responsibilities, and describes procedures for DOD biometrics. The draft is currently in the process of entering formal staffing, and the department did not provide an estimate of when this directive will be completed.

Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to more fully define and further clarify the roles and responsibilities needed to achieve DOD's biometric program and objectives for all stakeholders that include ensuring collection devices conform to adopted standards.

Agency Affected: Department of Defense

Status: Closed - Implemented

Comments: On February 14, 2011, we provided DOD a draft of this report and comment. In response to our draft recommendation, and while the report was under review, DOD finalized an agreement with DHS regarding biometric sharing on March 2, 2011.

Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to complete the memorandum of agreement with the Department of Homeland Security regarding the sharing of biometric information as appropriate and consistent with U.S. laws and regulations and international agreements, as well as information-sharing environment efforts.

Agency Affected: Department of Defense

Status: Open

Comments: In response to GAO's report, DOD noted it is currently scheduled to deploy version 1.2 of its Automated Biometric Identification System (ABIS) by the fourth quarter of fiscal year 2014. ABIS 1.2 has demonstrated the capability to achieve more than 30,000 daily transactions and is scalable to approximately 45,000 daily transactions. DOD and the Department of Homeland Security (DHS) are also exploring alternative data sharing strategies, with efforts underway to pilot the ingestion of most DOD biometric records into DHS's biometric database. While DOD had planned to address its long-term biometric system capability needs with the Biometric Enabled Capability (BEC) Capability Development Document (CDD), the Joint Staff determined the BEC CDD to be too costly and it has been archived with no near-term plans to revisit it. In the meantime, the Army will be conducting an update to their 2010 analysis of alternatives in the Summer of 2014 to investigate other options to achieve an affordable biometric store/match/share capability.

Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to identify its long-term biometric system capability needs, including the technological capacity and associated costs needed to support both the warfighter and to facilitate sharing of biometric information across federal agencies, and take steps to meet those capability needs, as appropriate and consistent with U.S. laws and regulations, international agreements, and available resources.